docs: strengthen network namespace guidance
Warn about giving containers access to the host's network namespace, as
that can unintentionally give access to APIs exposed over abstract
sockets.

Signed-off-by: Samuel Karp <skarp@amazon.com>
samuelkarp authored and zmrow committed Nov 30, 2020
1 parent 8c7d7bb commit 64c25ca
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions SECURITY_GUIDANCE.md
Expand Up @@ -170,6 +170,10 @@ Network namespaces provide isolation for network resources such as IP addresses,
Containers that share the host network namespace can connect to services listening on the host loopback addresses `127.0.0.1` and `::1`.
These services are not otherwise reachable from the network.

Sharing the network namespace also enables access to abstract sockets.
Containers that share the host network namespace can send messages to processes on the host which expose APIs over abstract sockets.
This can bypass intended restrictions for API access.

PID namespaces provide isolation for the process ID number space.
Containers that share the host PID namespace can interact with processes running on the host.
This includes the ability to send signals to those processes, which may interfere with system functionality.
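Review bot: the added paragraph (the three lines beginning "Sharing the network namespace also enables access to abstract sockets.") never says what an abstract socket is or why the network namespace is what scopes it, so a reader who knows Unix domain sockets only as filesystem paths will not see why file permissions give no protection here. Suggest one qualifying clause, e.g. "abstract sockets (Unix domain sockets in the abstract namespace, which is scoped to the network namespace rather than the filesystem and so is not subject to file permissions)". It would also help to state the converse, that Unix sockets bound to filesystem paths are not exposed by sharing the network namespace, since the mount namespace and file permissions govern those; as written, the paragraph could be read as saying all local sockets become reachable.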

0 comments on commit 64c25ca